Attacks, such as attacks utilizing flooding, denial of service, DDoS, viruses, worms, trojan horses, rouge applications, malware, exploits, spam, phishing, etc., are becoming an ever-increasing problem in today's Internet. For example, by sending large amounts of malicious packets, denial of service attacks can cause consumption and/or overload of scarce, limited, and/or non-renewable system and/or network resources, such as bandwidth, disk space, CPU time, and/or allocations thereof; destruction and/or alteration of configuration information, such as routing information; disruption of normal operating system functionality; and/or physical destruction and/or alteration of network components, etc.
DDoS attacks may be aimed at different types of services available on a network including, for example, DNS, HTTP (e.g., web traffic), encryption, time services, streaming services, VoIP. DDoS attacks may be aimed at vulnerable corporate services such as, for example, DNS that translates Internet names to addresses. DDoS attacks come in mainly two varieties. One attempts to shut down the DNS system specifically in relation to the target site so that no legitimate user can obtain a valid translation and make a request from that site, such as by altering the operation of the DNS server to provide an invalid translation. Another type of DDoS attack attempts to overload a DNS server directly with a flood of malicious packets that exceeds the capacity of the server, thereby preventing access to all sites whose address translations are dependent thereon.
Once an attack is successfully detected, standard mitigation tactics are typically inadequate in resolving a DDoS attack. Typical mitigation policies involve discarding all packets destined to a victim server without analyzing whether the packets originated from a legitimate user or an attacker. Also, standard approaches do not offer the ability to export real-time data to other apparatuses, nor do they allow an operator to configure a flexible, customized policy. It should be noted that, in many cases, the malicious packets sent by the attackers have similar structure and layout which, if detected, may be used to drop the malicious packets.
As such, a new, scalable, and robust DDoS Detection and Mitigation approach with inherent intelligence, which addresses all the shortcomings discussed above, is desirable. Such an approach should be capable of maintaining accurate state information to check for anomalous traffic patterns (to detect a variety of high rate DDoS attacks), should be capable of distinguishing between an attacker and a legitimate user when an attack is detected, should allow an operator to configure a flexible mitigation policy, and should be capable of operating without degrading the overall system performance (forwarding data path or control plane CPU).